Cyberattack On Collins Aerospace
European airports faced chaos this weekend (September 2025) after a cyberattack on Collins Aerospace’s airline check-in software forced a sudden return to manual processing. On Monday, the EU’s cybersecurity agency ENISA confirmed the incident was a ransomware attack, following days of flight delays and cancellations across multiple countries. The attack began late Friday and quickly crippled passenger services at key hubs like London Heathrow, Brussels, and Berlin, showing how a single supplier’s compromise can disrupt air travel on a continental scale.
Timeline Of The Attack On Collins Aerospace
The incident unfolded over several days. Key events were as follows:
Friday Night, 19 September, 2025
Anomalous activity was detected just before midnight, when cybercriminals compromised Collins Aerospace’s MUSE (Multi-User System Environment) platform, which handles airline check-in and boarding systems.
Saturday, 20 September, 2025
In the early hours of Saturday, the ransomware began encrypting core databases. Automated check-in systems failed at several airports – by dawn, London Heathrow had to revert to manual ticketing with thousands of passengers lining up, and similar chaos hit Brussels and Berlin Brandenburg airports. Collins Aerospace acknowledged it was aware of a cyber-related disruption affecting certain airports, but full details remained unclear at the time.
Sunday, 21 September, 2025
The outage persisted through Sunday. Airlines and airport staff continued using manual processes for a second day as cybersecurity agencies investigated behind the scenes. No official confirmation of the attack’s nature was given on Sunday, though efforts to restore the systems were ongoing.
Monday, 22 September, 2025
ENISA officially confirmed that a ransomware attack on Collins Aerospace caused the airport IT outage, with law enforcement brought in to investigate. The agency did not reveal which ransomware strain was involved or whether any ransom was demanded. Collins Aerospace reported it was in the final stages of restoring its software, yet airports were still cancelling flights and experiencing heavy delays on Monday. Brussels Airport, for example, cancelled roughly 60 flights that day as its systems remained down.
Wednesday, 24 September, 2025
British police arrested a man as part of the investigation into the ransomware attack. The individual was arrested on suspicion of offenses under the Computer Misuse and has since been released on conditional bail. It remains unclear which criminal group is responsible for the attack.
The Impact On European Airports
The ransomware attack on Collins Aerospace’s system sent ripples across European air travel. Several airports had to implement emergency measures to keep flights operating, with varying levels of disruption at each location:
Brussels Airport
This hub was among the hardest hit. Its check-in and baggage systems remained offline for days, forcing staff to use iPads and laptops to check in passengers manually. On Monday alone, about 60 flights out of roughly 550 were cancelled at Brussels, and many more were delayed. The airport even asked airlines to preemptively cut their Monday flight schedules by half, anticipating ongoing outages.
Berlin Brandenburg Airport
Berlin’s main airport also faced extensive disruption, with its automated check-in kiosks still down through Monday. Departures from Berlin saw delays of over an hour, as the airport relied on paper boarding passes and backup procedures. The situation was exacerbated by unusually high passenger volume from the Berlin Marathon, which compounded the long lines and wait times.
London Heathrow
Europe’s busiest airport felt the impact but to a lesser extent. Most flights at Heathrow continued operating, aided by airline-specific contingencies and extra staff stepping in to assist. A Heathrow spokesperson said that the “vast majority of flights at Heathrow are operating as normal, although check-in and boarding for some flights may take slightly longer than usual”. Certain carriers were largely unaffected thanks to their own backup systems (for example, British Airways’ separate check-in infrastructure helped keep delays minimal).
Dublin and Other Airports
Dublin Airport reported minimal issues, with some manual workarounds and delays. Not all major hubs rely on Collins Aerospace’s software – for instance, airports in Paris (Charles de Gaulle), Frankfurt, and Zurich were completely unaffected, because they use different systems for passenger processing. This contrast showed that the impact was concentrated on airports using the compromised MUSE platform.
Preventing Ransomware With BlackFog ADX
When Collins Aerospace’s MUSE system went down, airports across Europe were left scrambling. Check-in desks reverted to paper forms, baggage piled up, and flights were delayed. MUSE supports more than 170 airports worldwide, so one attack created a chain reaction that exposed the risks of relying on a single, centralized platform for operations.
The attackers targeted MUSE directly, deploying ransomware that disrupted passenger processing and baggage handling for days. Once inside, the ransomware likely spread across systems, locking down key services and leaving airports with no option but manual workarounds.
This is exactly the type of scenario BlackFog ADX is built to stop. Most ransomware depends on outbound communication to fetch encryption keys, exfiltrate stolen data, or phone home to a command server. Anti data exfiltration (ADX) cuts those connections in real time, stranding the malware before it can complete its playbook.
On top of that, ADX monitors how processes behave on each endpoint. If a server suddenly starts encrypting files, modifying system functions, or probing the network, those actions are flagged and terminated, without needing a signature. This pattern-based detection is designed to catch both known and emerging ransomware families. Anti-surveillance measures add another layer by blocking malicious code from profiling endpoints.
Because most ransomware blends file encryption with data theft, ADX’s approach tackles both problems at the source. No solution promises perfect security, but shutting down these behaviors at the endpoint level makes it far more likely an attack gets contained early, before it cascades into mass disruption.
Want to see ADX in action? Get in touch with BlackFog today.
Share This Story, Choose Your Platform!
Related Posts
Ransomware On Collins Aerospace Halts Check-In At Major Airports
In September 2025, Collins Aerospace was hit by ransomware, disrupting check-in at European airports with delays, cancellations, and manual operations.
Infostealers Explained: The Hidden Gateway to Ransomware
Infostealers compromise credentials and open the door to ransomware. Learn what they are, how they work, and key steps to keep your business safe.
Data Poisoning Attacks: How Hackers Target AI-Driven Business Systems
Data poisoning corrupts the information resources that AI systems rely on. Learn how this growing threat works, why it matters and what steps your business can take to defend against it.
What is Cyber Resiliency and Why Does it Matter in 2025?
Discover why cyber resiliency is vital in 2025 as firms face complex threats. Learn how businesses can adapt, recover and protect trust.
The Interlock Ransomware Problem Security Teams Can’t Ignore
Interlock ransomware is disrupting healthcare, cities, and infrastructure in 2025 with fake update lures, data theft, and double extortion tactics.
Effective Data Security Management: Strategies and Best Practices
What must firms do to develop an effective data security management strategy? Here are some key best practices to follow.